
Merge pull request #1481 from gravitl/bugfix_v0.14.7_freebsd_postup-postdown

freebsd saving post up/post down command to conf file
Alex Feiszli 3 years ago
parent
commit
c2791cc1d4
2 changed files with 38 additions and 9 deletions
  1. 5 1
      logic/gateway.go
  2. 33 8
      netclient/wireguard/common.go

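--- a/logic/gateway.go
+++ b/logic/gateway.go
@@ -56,6 +56,7 @@ func CreateEgressGateway(gateway models.EgressGatewayRequest) (models.Node, erro
 		}
 	}
 	if node.OS == "freebsd" {
+		// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
 		postUpCmd = "kldload ipfw ipfw_nat ; "
 		postUpCmd += "ipfw disable one_pass ; "
 		postUpCmd += "ipfw nat 1 config if " + gateway.Interface + " same_ports unreg_only reset ; "
@@ -285,6 +286,7 @@ func DeleteGatewayExtClients(gatewayID string, networkName string) error {
 
 // firewallNFTCommandsCreateIngress - used to centralize firewall command maintenance for creating an ingress gateway using the nftables firewall.
 func firewallNFTCommandsCreateIngress(networkInterface string) (string, string) {
+	// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
 	postUp := "nft add table ip filter ; "
 	postUp += "nft add chain ip filter FORWARD ; "
 	postUp += "nft add rule ip filter FORWARD iifname " + networkInterface + " counter accept ; "
@@ -302,6 +304,7 @@ func firewallNFTCommandsCreateIngress(networkInterface string) (string, string)
 
 // firewallNFTCommandsCreateEgress - used to centralize firewall command maintenance for creating an egress gateway using the nftables firewall.
 func firewallNFTCommandsCreateEgress(networkInterface string, gatewayInterface string, egressNatEnabled string) (string, string) {
+	// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
 	postUp := "nft add table ip filter ; "
 	postUp += "nft add chain ip filter FORWARD ; "
 	postUp += "nft add rule ip filter FORWARD iifname " + networkInterface + " counter accept ; "
@@ -322,6 +325,7 @@ func firewallNFTCommandsCreateEgress(networkInterface string, gatewayInterface s
 
 // firewallIPTablesCommandsCreateIngress - used to centralize firewall command maintenance for creating an ingress gateway using the iptables firewall.
 func firewallIPTablesCommandsCreateIngress(networkInterface string) (string, string) {
+	// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
 	postUp := "iptables -A FORWARD -i " + networkInterface + " -j ACCEPT ; "
 	postUp += "iptables -A FORWARD -o " + networkInterface + " -j ACCEPT ; "
 	postUp += "iptables -t nat -A POSTROUTING -o " + networkInterface + " -j MASQUERADE"
@@ -336,7 +340,7 @@ func firewallIPTablesCommandsCreateIngress(networkInterface string) (string, str
 
 // firewallIPTablesCommandsCreateEgress - used to centralize firewall command maintenance for creating an egress gateway using the iptables firewall.
 func firewallIPTablesCommandsCreateEgress(networkInterface string, gatewayInterface string, egressNatEnabled string) (string, string) {
-
+	// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
 	postUp := "iptables -A FORWARD -i " + networkInterface + " -j ACCEPT; "
 	postUp += "iptables -A FORWARD -o " + networkInterface + " -j ACCEPT"
 	postDown := "iptables -D FORWARD -i " + networkInterface + " -j ACCEPT; "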
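Review bot: The comment added in the last hunk says the spacing around `;` matters, yet the two command strings directly below it still use `ACCEPT; ` with no space before the semicolon, so the `strings.Split(..., " ; ")` in wireguard/common.go will not separate them and the whole two-command string ends up as a single ini value — the exact case this commit is trying to fix. The other four hunks consistently use ` ; `; this function should match: `postUp := "iptables -A FORWARD -i " + networkInterface + " -j ACCEPT ; "` and `postDown := "iptables -D FORWARD -i " + networkInterface + " -j ACCEPT ; "`. Since the separator is now a cross-file contract, a short sentence in the function doc comment stating that every command in the returned strings is joined by ` ; ` would make the dependency visible to future edits. firewallIPTablesCommandsCreateEgress continues past the end of the hunk, so any further commands there need the same check.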

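--- a/netclient/wireguard/common.go
+++ b/netclient/wireguard/common.go
@@ -2,7 +2,6 @@ package wireguard
 
 import (
 	"fmt"
-	"log"
 	"net"
 	"runtime"
 	"strconv"
@@ -52,7 +51,7 @@ func SetPeers(iface string, node *models.Node, peers []wgtypes.PeerConfig) error
 				currentPeer.PublicKey.String() != peer.PublicKey.String() {
 				_, err := ncutils.RunCmd("wg set "+iface+" peer "+currentPeer.PublicKey.String()+" remove", true)
 				if err != nil {
-					log.Println("error removing peer", peer.Endpoint.String())
+					logger.Log(0, "error removing peer", peer.Endpoint.String())
 				}
 			}
 		}
@@ -82,7 +81,7 @@ func SetPeers(iface string, node *models.Node, peers []wgtypes.PeerConfig) error
 				" allowed-ips "+allowedips, true)
 		}
 		if err != nil {
-			log.Println("error setting peer", peer.PublicKey.String())
+			logger.Log(0, "error setting peer", peer.PublicKey.String())
 		}
 	}
 
@@ -104,7 +103,7 @@ func SetPeers(iface string, node *models.Node, peers []wgtypes.PeerConfig) error
 				if shouldDelete {
 					output, err := ncutils.RunCmd("wg set "+iface+" peer "+currentPeer.PublicKey.String()+" remove", true)
 					if err != nil {
-						log.Println(output, "error removing peer", currentPeer.PublicKey.String())
+						logger.Log(0, output, "error removing peer", currentPeer.PublicKey.String())
 					}
 				}
 				for _, ip := range currentPeer.AllowedIPs {
@@ -341,11 +340,24 @@ func WriteWgConfig(node *models.Node, privateKey string, peers []wgtypes.PeerCon
 	//if node.DNSOn == "yes" {
 	//	wireguard.Section(section_interface).Key("DNS").SetValue(cfg.Server.CoreDNSAddr)
 	//}
+	//need to split postup/postdown because ini lib adds a ` and the ` breaks freebsd
 	if node.PostUp != "" {
-		wireguard.Section(section_interface).Key("PostUp").SetValue(node.PostUp)
+		parts := strings.Split(node.PostUp, " ; ")
+		for i, part := range parts {
+			if i == 0 {
+				wireguard.Section(section_interface).Key("PostUp").SetValue(part)
+			}
+			wireguard.Section(section_interface).Key("PostUp").AddShadow(part)
+		}
 	}
 	if node.PostDown != "" {
-		wireguard.Section(section_interface).Key("PostDown").SetValue(node.PostDown)
+		parts := strings.Split(node.PostDown, " ; ")
+		for i, part := range parts {
+			if i == 0 {
+				wireguard.Section(section_interface).Key("PostDown").SetValue(part)
+			}
+			wireguard.Section(section_interface).Key("PostDown").AddShadow(part)
+		}
 	}
 	if node.MTU != 0 {
 		wireguard.Section(section_interface).Key("MTU").SetValue(strconv.FormatInt(int64(node.MTU), 10))
@@ -451,11 +463,24 @@ func UpdateWgInterface(file, privateKey, nameserver string, node models.Node) er
 	//if node.DNSOn == "yes" {
 	//	wireguard.Section(section_interface).Key("DNS").SetValue(nameserver)
 	//}
+	//need to split postup/postdown because ini lib adds a quotes which breaks freebsd
 	if node.PostUp != "" {
-		wireguard.Section(section_interface).Key("PostUp").SetValue(node.PostUp)
+		parts := strings.Split(node.PostUp, " ; ")
+		for i, part := range parts {
+			if i == 0 {
+				wireguard.Section(section_interface).Key("PostUp").SetValue(part)
+			}
+			wireguard.Section(section_interface).Key("PostUp").AddShadow(part)
+		}
 	}
 	if node.PostDown != "" {
-		parts := strings.Split(node.PostDown, ";")
+		parts := strings.Split(node.PostDown, ";")
+		for i, part := range parts {
+			if i == 0 {
+				wireguard.Section(section_interface).Key("PostDown").SetValue(part)
+			}
+			wireguard.Section(section_interface).Key("PostDown").AddShadow(part)
+		}
 	}
 	if node.MTU != 0 {
 		wireguard.Section(section_interface).Key("MTU").SetValue(strconv.FormatInt(int64(node.MTU), 10))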
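Review bot: The `AddShadow(part)` calls in the last two hunks discard the error the ini key returns, so if the config file was not loaded with shadow support enabled (or a value is rejected) every command after the first is silently dropped from PostUp/PostDown and the interface comes up with only part of its firewall/NAT rules — a failure that is invisible until traffic misbehaves. Two smaller inconsistencies sit in the same loops: the PostDown split in UpdateWgInterface uses `";"` while the other three use `" ; "`, leaving stray spaces in each element, and because the gateway strings visibly end with `" ; "` the final element of the split is an empty string that gets written as an empty PostUp/PostDown line; the first element is also passed to both SetValue and AddShadow. The rewrite below (shown for the WriteWgConfig PostUp block; the other three blocks are identical apart from the key name and field) trims and skips empty elements, sets the first non-empty one, and returns the AddShadow error, assuming both functions return `error` as the `er…` in the UpdateWgInterface signature suggests. Both enclosing functions start and end outside the hunks.
```go
	if node.PostUp != "" {
		key := wireguard.Section(section_interface).Key("PostUp")
		first := true
		for _, part := range strings.Split(node.PostUp, " ; ") {
			part = strings.TrimSpace(part)
			if part == "" {
				continue // a trailing " ; " leaves an empty element
			}
			if first {
				key.SetValue(part)
				first = false
				continue
			}
			if err := key.AddShadow(part); err != nil {
				return fmt.Errorf("writing PostUp entry %q: %w", part, err)
			}
		}
	}
	// … unchanged: PostDown, MTU …
```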